The present invention relates generally to communication systems, and more particularly, to a signature based network intrusion detection system and method.
The explosion of the Internet allows companies and individuals real time access to vast amounts of information. As Internet access costs have decreased, corporations are increasingly using the Internet for corporate data and communications. The many advantages of the Internet, such as cost and flexibility are heavily impacted by security risks. Security is increasingly becoming a critical issue in enterprise and service-provider networks as usage of public networks for data transport increases and new business applications such as e-commerce sites are deployed. Security measures are required, for example, to prevent hackers from gaining unauthorized access to a corporations information resources or shutting down an e-commerce web site via a distributed denial of service attack. Corporations continue to deploy firewalls to prevent unauthorized users from entering their networks. However, corporations are looking to additional security technologies to protect their system's vulnerability that firewalls alone cannot address.
One of these additional security measures is an intrusion detection system (IDS). As network attacks have increased in number and severity, intrusion detection systems have become a necessary addition to the security infrastructure of most organizations. Intrusion detection allows organizations to protect their systems from threats that come with increasing network connectivity and reliance on information systems. Intrusion detection systems include software or hardware systems that automate the process of monitoring events occurring in a computer system or network, and analyzing them for signs of security problems. Intruders attempt to compromise the confidentiality, integrity, availability, or to bypass the security mechanisms of a computer or network. These include, for example, unauthorized users, authorized users of the systems who attempt to gain additional privileges for which they are not authorized, and authorized users who misuse the privileges given to them. Intrusion detection technology is therefore, a necessary addition to every large organization's computer network security infrastructure.
Network based intrusion detection systems (NIDSs) provide network surveillance by analyzing packet data streams within the network, searching for unauthorized activity, such as attacks by hackers, and enabling users to respond to security breaches before systems are compromised. Typically, network intrusion detection systems analyze individual packets flowing through a network and can detect malicious packets that are designed to be overlooked by a firewall's simplistic filtering rules. Network intrusion detection systems may also be configured to look at the payload within a packet to see which particular web server program is being accessed and with what options, and to raise alerts when an attacker tries to exploit a bug in such code. When unauthorized activity is detected, the intrusion detection system can send alarms to a management console or system administrator with details of the activity and may also direct other systems to cut off the unauthorized sessions.
Network intrusion detection systems may be signature based, anomaly based, or a combination of both. The signature based intrusion detection system analyzes information it gathers and compares it to a large database of attack signatures. The system looks for a specific attack that has already been documented. In the anomaly based system, a system administrator defines the baseline, or normal state of the network's traffic load, breakdown, protocol, and typical packet size. The anomaly detector monitors network segments to compare their state to the normal baseline and look for anomalies. Conventional network intrusion detection devices are challenged with accurately detecting various intrusions hidden in ever increasing high-speed network traffic packets, either via intrusion signature matching or network traffic anomaly discovery approaches.
Conventional signature based network intrusion detection systems treat signatures as passive items. When a packet is inspected, it is matched against a list of signatures. Since a signature database often contains hundreds or thousands of signatures, it is impossible to match the signatures against every packet in real-time in order to detect all potential threats in high-speed network systems.
Furthermore, conventional packet classification techniques are not well suited for handling the diverse nature of intrusion signatures. Signature based intrusion detection systems such as Snort programs are typically configured with a set of rules to detect popular attack patterns. Signature detection systems go one step beyond packet filters in complexity by searching for an arbitrary string that can appear anywhere in the packet payload. Systems such as Snort examine one rule at a time. Each time a rule matches, Snort does a fast string search on the associated pattern using the Boyer-Moore algorithm. While the Boyer-Moore algorithm is very fast for a single string search, a single packet can match several rules with patterns, resulting in many Boyer-Moore searches. Thus, this technique does not scale with increasing rule sizes.
There is, therefore, a need for a system and method for reducing the amount of processing required for packet inspection to provide efficient signature based intrusion detection for high-speed networks.